CCNA Security Lab 13 - Catalyst Switch Port-Based Traffic Control - CLI

Lab 13 

Catalyst Switch Port-Based Traffic Control 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to enable
port-based traffic control features on Cisco IOS Catalyst switches.

Lab Purpose: 

Catalyst switch port-based traffic control features are implemented at the 
port-level on Cisco IOS Catalyst switches and provide per-port security on these 
devices. 

Lab Difficulty: 

This lab has a difficulty rating of 8/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use any single switch to complete this lab: 



This lab is based on a Cisco Catalyst switch with 24 10/100 FastEthernet ports and 2 1000 Mbps
GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges
used in this lab with those available on your switch. For example, if you only have 12 10/100
FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that
you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the
GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute
GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.


Lab 13 Configuration Tasks 


Task 1:

Configure the hostname on Sw1 as illustrated in the diagram. In addition, configure Sw1 so that it
operates as a Transparent mode switch in VTP domain SECURITY. This domain should be secured with the
password secure.

Task 2: 

Configure storm control on ports FastEthernet0/1 - FastEthernet0/8 as follows:

Traffic Type    Suppress when exceeds (%)    Forward when below (%)
Broadcast       15                           10
Multicast       80                           50
Unicast         95                           75


When these thresholds are exceeded, Sw1 should send an SNMP Trap notification to server
192.168.1.254. This server uses the SNMP community STRMCTRL as a RO community.

Task 3: 

Configure FastEthernet0/9 - FastEthernet0/15 so that there is never an exchange of Unicast,
Broadcast, or Multicast traffic between these ports on the switch.

Task 4:

Configure FastEthernet0/16 - FastEthernet0/24 so that these ports send an SNMP trap when a MAC
address is added to the entries already learned.


Lab 13 Configuration and Verification 
Task 1: 


Switch(config)#hostname Sw1
Sw1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Sw1(config)#vtp domain SECURITY
Changing VTP domain name from Null to SECURITY
Sw1(config)#vtp password secure
Setting device VLAN database password to secure
Sw1(config)#exit
Sw1#


Sw1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 250
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : SECURITY
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x32 0xB2 0x45 0x18 0xB1 0x28 0x56 0x70
Configuration last modified by 0.0.0.0 at 3-1-93 00:17:41


Task 2: 


Sw1(config)#int range fastethernet0/1 - 8
Sw1(config-if-range)#storm-control broadcast level 15.00 10.00
Sw1(config-if-range)#storm-control multicast level 80.00 50.00
Sw1(config-if-range)#storm-control unicast level 95.00 75.00
Sw1(config-if-range)#storm-control action trap
Sw1(config-if-range)#exit
Sw1(config)#snmp-server host 192.168.1.254 traps STRMCTRL
Sw1(config)#snmp-server community STRMCTRL ro 10
Sw1(config)#access-list 10 permit 192.168.1.254
Sw1(config)#exit
Sw1#

Sw1#show snmp
Chassis: FOC0730W239
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
SNMP global trap: disabled
SNMP logging: enabled
    Logging to 192.168.1.254.162, 0/10, 0 sent, 0 dropped.
SNMP agent enabled
Sw1#


Sw1#show storm-control broadcast
Interface  Filter State   Trap State     Upper    Lower    Current  Traps Sent
Fa0/1      Forwarding     Below rising   15.00%   10.00%   0.00%    0
Fa0/2      Forwarding     Below rising   15.00%   10.00%   0.00%    0
Fa0/3      Forwarding     Below rising   15.00%   10.00%   0.00%    0
Fa0/4      Forwarding     Below rising   15.00%   10.00%   0.00%    0
Fa0/5      Forwarding     Below rising   15.00%   10.00%   0.00%    0
Fa0/6      Forwarding     Below rising   15.00%   10.00%   0.00%    0
Fa0/7      Forwarding     Below rising   15.00%   10.00%   0.00%    0
Fa0/8      Forwarding     Below rising   15.00%   10.00%   0.00%    0
[Truncated Output]
Sw1#

Sw1#show storm-control multicast
Interface  Filter State   Trap State     Upper    Lower    Current  Traps Sent
Fa0/1      Forwarding     Below rising   80.00%   50.00%   0.00%    0
Fa0/2      Forwarding     Below rising   80.00%   50.00%   0.00%    0
Fa0/3      Forwarding     Below rising   80.00%   50.00%   0.00%    0
Fa0/4      Forwarding     Below rising   80.00%   50.00%   0.00%    0
Fa0/5      Forwarding     Below rising   80.00%   50.00%   0.00%    0
Fa0/6      Forwarding     Below rising   80.00%   50.00%   0.00%    0
Fa0/7      Forwarding     Below rising   80.00%   50.00%   0.00%    0
Fa0/8      Forwarding     Below rising   80.00%   50.00%   0.00%    0
[Truncated Output]
Sw1#

Sw1#show storm-control unicast
Interface  Filter State   Trap State     Upper    Lower    Current  Traps Sent
Fa0/1      Forwarding     Below rising   95.00%   75.00%   0.00%    0
Fa0/2      Forwarding     Below rising   95.00%   75.00%   0.00%    0
Fa0/3      Forwarding     Below rising   95.00%   75.00%   0.00%    0
Fa0/4      Forwarding     Below rising   95.00%   75.00%   0.00%    0
Fa0/5      Forwarding     Below rising   95.00%   75.00%   0.00%    0
Fa0/6      Forwarding     Below rising   95.00%   75.00%   0.00%    0
Fa0/7      Forwarding     Below rising   95.00%   75.00%   0.00%
Fa0/8      Forwarding     Below rising   95.00%   75.00%   0.00%
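A simplified model of the Upper and Lower thresholds shown above, added here as an illustration and not part of the original lab: traffic is suppressed once a sample exceeds the upper level and is forwarded again only after it drops below the lower level. The traffic samples are constructed, and counting one trap per rising crossing is an assumption of the model.

```python
# Added example: simplified model of storm-control rising/falling thresholds.
# Thresholds come from the Task 2 table; the traffic samples are constructed.

THRESHOLDS = {            # traffic type -> (suppress above %, forward below %)
    "broadcast": (15.0, 10.0),
    "multicast": (80.0, 50.0),
    "unicast": (95.0, 75.0),
}


def simulate(traffic_type, samples):
    """Return (states, traps): filter state per sample and rising-trap count."""
    upper, lower = THRESHOLDS[traffic_type]
    blocking = False
    states, traps = [], 0
    for level in samples:
        if not blocking and level > upper:
            blocking = True          # upper level exceeded: suppress and trap
            traps += 1               # assumption: one trap per rising crossing
        elif blocking and level < lower:
            blocking = False         # dropped below lower level: forward again
        states.append("Blocking" if blocking else "Forwarding")
    return states, traps


# Constructed broadcast utilisation samples (% of port bandwidth per interval).
BROADCAST_SAMPLES = [5.0, 12.0, 16.0, 12.0, 10.0, 9.0, 12.0, 20.0]

if __name__ == "__main__":
    states, traps = simulate("broadcast", BROADCAST_SAMPLES)
    for level, state in zip(BROADCAST_SAMPLES, states):
        print(f"{level:5.1f}%  {state}")
    print("traps sent:", traps)
```

The same 12% broadcast load is forwarded before the storm and suppressed after it, which is the effect of configuring two levels instead of one.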


Task 3: 

Sw1(config)#int range f0/9 - 15
Sw1(config-if-range)#switchport protected
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#

Sw1#show interfaces fastethernet0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Voice VLAN: none (Inactive)
Appliance trust: none

Task 4: 

Sw1(config)#mac-address-table notification
Sw1(config)#snmp-server enable traps mac-notification
Sw1(config)#interface range f0/16 - 24
Sw1(config-if-range)#snmp trap mac-notification added
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#

Sw1#show mac-address-table notification
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1 secs
Number of MAC Addresses Added : 0
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 1
Current History Table Length : 0
MAC Notification Traps are Enabled
History Table contents
Sw1#

Sw1#show mac-address-table notification interface f0/24
MAC Notification Feature is Enabled on the switch
Interface           MAC Added Trap   MAC Removed Trap
FastEthernet0/24    Enabled          Disabled

Lab 13 Configurations 
Sw1 Configuration

Sw1#show run
Building configuration...

Current configuration : 3453 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sw1
!
no logging console
!
ip subnet-zero
vtp domain SECURITY
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!

interface FastEthernet0/1
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/2
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/3
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/4
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/5
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/6
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/7
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/8
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/9
 switchport protected
 no ip address
!
interface FastEthernet0/10
 switchport protected
 no ip address
!
interface FastEthernet0/11
 switchport protected
 no ip address
!
interface FastEthernet0/12
 switchport protected
 no ip address
!
interface FastEthernet0/13
 switchport protected
 no ip address
!
interface FastEthernet0/14
 switchport protected
 no ip address
!
interface FastEthernet0/15
 switchport protected
 no ip address
!

interface FastEthernet0/16
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/17
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/18
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/19
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/20
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/21
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/22
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/23
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/24
 no ip address
 snmp trap mac-notification added
!

interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
access-list 10 permit 192.168.1.254
snmp-server community STRMCTRL RO 10
snmp-server enable traps MAC-Notification
snmp-server host 192.168.1.254 STRMCTRL
!
line con 0
line vty 5 15
!
mac-address-table notification
end
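One way to check a saved running-config for drift from the per-port settings of Tasks 2-4, as an added example that is not part of the original lab. It assumes interface sub-commands are indented as IOS prints them; the function names and the sample excerpt are constructed for illustration.

```python
# Added example: audit a running-config against the per-port policy of Tasks 2-4.
STORM = {
    "storm-control broadcast level 15.00 10.00",
    "storm-control multicast level 80.00 50.00",
    "storm-control unicast level 95.00 75.00",
    "storm-control action trap",
}
POLICY = [  # (FastEthernet0/<n> port numbers, commands each port must carry)
    (range(1, 9), STORM),
    (range(9, 16), {"switchport protected"}),
    (range(16, 25), {"snmp trap mac-notification added"}),
]

def parse_interfaces(config):
    """Map each interface name to the set of commands configured under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], set())
        elif not raw[0].isspace():
            current = None          # "!" or a global command closes the block
        elif current is not None:
            current.add(line)
    return blocks

def audit(config, ports=range(1, 25)):
    """Return (port number, missing command) pairs, in port order."""
    blocks, findings = parse_interfaces(config), []
    for n in ports:
        required = next((req for rng, req in POLICY if n in rng), set())
        have = blocks.get(f"FastEthernet0/{n}", set())
        findings += [(n, cmd) for cmd in sorted(required - have)]
    return findings

# Constructed excerpt with drift: Fa0/2 lacks the unicast limit, Fa0/9 is unprotected.
SAMPLE = "\n".join(
    ["interface FastEthernet0/1"] + [f" {c}" for c in sorted(STORM)] + ["!"]
    + ["interface FastEthernet0/2"]
    + [f" {c}" for c in sorted(STORM) if "unicast" not in c] + ["!"]
    + ["interface FastEthernet0/9", " no ip address", "!"]
    + ["interface FastEthernet0/16", " snmp trap mac-notification added", "!"]
)

if __name__ == "__main__":
    for port, cmd in audit(SAMPLE, ports=[1, 2, 9, 16]):
        print(f"FastEthernet0/{port}: missing '{cmd}'")
```

A port that is absent from the config is reported as missing every command its range requires.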